
temporarily disallow L7 traffic permissions (#19322)

pull/19493/head
skpratt 1 year ago committed by GitHub
parent
commit
896d8f5ec5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 1
      internal/auth/internal/types/errors.go
  2. 14
      internal/auth/internal/types/traffic_permissions.go
  3. 77
      internal/auth/internal/types/traffic_permissions_test.go

1
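--- a/internal/auth/internal/types/errors.go
+++ b/internal/auth/internal/types/errors.go
@@ -12,4 +12,5 @@ var (
 	errSourceExcludes = errors.New("must be defined on wildcard sources")
 	errInvalidPrefixValues = errors.New("prefix values, regex values, and explicit names must not combined")
 	ErrWildcardNotSupported = errors.New("traffic permissions without explicit destinations are not yet supported")
+	ErrL7NotSupported = errors.New("traffic permissions with L7 rules are not yet supported")
 )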
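Review bot: ErrL7NotSupported on line 26 is an exported sentinel added without a doc comment, which the convention for exported names requires; the neighbouring ErrWildcardNotSupported has the same gap, but new code should not extend it. Add `// ErrL7NotSupported is returned while destination rules carrying L7 matchers (path, method, header) are rejected by validation.` directly above the declaration. The enclosing var block starts before this hunk.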

14
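--- a/internal/auth/internal/types/traffic_permissions.go
+++ b/internal/auth/internal/types/traffic_permissions.go
@@ -217,6 +217,13 @@ func validatePermission(p *pbauth.Permission, wrapErr func(error) error) error {
 				Wrapped: err,
 			})
 		}
+		// TODO: remove this when L7 traffic permissions are implemented
+		if len(dest.PathExact) > 0 || len(dest.PathPrefix) > 0 || len(dest.PathRegex) > 0 || len(dest.Methods) > 0 || dest.Header != nil {
+			merr = multierror.Append(merr, wrapDestRuleErr(resource.ErrInvalidListElement{
+				Name: "destination_rule",
+				Wrapped: ErrL7NotSupported,
+			}))
+		}
 		if (len(dest.PathExact) > 0 && len(dest.PathPrefix) > 0) ||
 			(len(dest.PathRegex) > 0 && len(dest.PathExact) > 0) ||
 			(len(dest.PathRegex) > 0 && len(dest.PathPrefix) > 0) {
@@ -234,6 +241,13 @@ func validatePermission(p *pbauth.Permission, wrapErr func(error) error) error {
 				Wrapped: err,
 			})
 		}
+		// TODO: remove this when L7 traffic permissions are implemented
+		if len(excl.PathExact) > 0 || len(excl.PathPrefix) > 0 || len(excl.PathRegex) > 0 || len(excl.Methods) > 0 || excl.Header != nil {
+			merr = multierror.Append(merr, wrapDestRuleErr(resource.ErrInvalidListElement{
+				Name: "exclude_permission_rules",
+				Wrapped: ErrL7NotSupported,
+			}))
+		}
 		if (len(excl.PathExact) > 0 && len(excl.PathPrefix) > 0) ||
 			(len(excl.PathRegex) > 0 && len(excl.PathExact) > 0) ||
 			(len(excl.PathRegex) > 0 && len(excl.PathPrefix) > 0) {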
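Review bot: The TODO on the new guard (line 36, and again at line 50) records when to remove it but not why a rule with L7 fields is rejected rather than having those fields ignored, which is the security-relevant part: a rule whose path, method or header matchers were silently dropped would be enforced as a broader L4 allow, so failing closed here is deliberate. Replace the TODO in both hunks with `// Reject L7 matchers outright until they are enforced: silently ignoring them would turn a narrow L7 rule into a broader L4 allow. TODO: remove when L7 traffic permissions are implemented`. The five-field condition is duplicated verbatim for dest and excl; if the two rule types share that field set, a small predicate such as `hasL7Fields` would keep them in step when L7 support lands, though the types are not visible on this page. A rule with more than one path field set now receives both this error and the existing path-combination error directly below it, which appears intentional but is worth stating in the comment. validatePermission begins before the first hunk and continues past the second.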

77
internal/auth/internal/types/traffic_permissions_test.go

@ -65,10 +65,46 @@ func TestValidateTrafficPermissions(t *testing.T) {
}, },
"no-destination": { "no-destination": {
tp: &pbauth.TrafficPermissions{ tp: &pbauth.TrafficPermissions{
Action: pbauth.Action_ACTION_ALLOW,
Permissions: nil,
},
expectErr: `invalid "data.destination" field: cannot be empty`,
},
"source-tenancy": {
tp: &pbauth.TrafficPermissions{
Destination: &pbauth.Destination{
IdentityName: "w1",
},
Action: pbauth.Action_ACTION_ALLOW,
Permissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
Partition: "ap1",
Peer: "cl1",
SamenessGroup: "sg1",
},
},
DestinationRules: nil,
},
},
},
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "sources": invalid element at index 0 of list "source": permissions sources may not specify partitions, peers, and sameness_groups together`,
},
// TODO: remove when L7 traffic permissions are implemented
"l7-fields-path": {
tp: &pbauth.TrafficPermissions{
Destination: &pbauth.Destination{
IdentityName: "w1",
},
Action: pbauth.Action_ACTION_ALLOW, Action: pbauth.Action_ACTION_ALLOW,
Permissions: []*pbauth.Permission{ Permissions: []*pbauth.Permission{
{ {
Sources: nil, Sources: []*pbauth.Source{
{
Partition: "ap1",
},
},
DestinationRules: []*pbauth.DestinationRule{ DestinationRules: []*pbauth.DestinationRule{
{ {
PathExact: "wi2", PathExact: "wi2",
@ -77,9 +113,9 @@ func TestValidateTrafficPermissions(t *testing.T) {
}, },
}, },
}, },
expectErr: `invalid "data.destination" field: cannot be empty`, expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "destination_rules": invalid element at index 0 of list "destination_rule": traffic permissions with L7 rules are not yet supported`,
}, },
"source-tenancy": { "l7-fields-methods": {
tp: &pbauth.TrafficPermissions{ tp: &pbauth.TrafficPermissions{
Destination: &pbauth.Destination{ Destination: &pbauth.Destination{
IdentityName: "w1", IdentityName: "w1",
@ -89,16 +125,41 @@ func TestValidateTrafficPermissions(t *testing.T) {
{ {
Sources: []*pbauth.Source{ Sources: []*pbauth.Source{
{ {
Partition: "ap1", Partition: "ap1",
Peer: "cl1", },
SamenessGroup: "sg1", },
DestinationRules: []*pbauth.DestinationRule{
{
Methods: []string{"PUT"},
}, },
}, },
DestinationRules: nil,
}, },
}, },
}, },
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "sources": invalid element at index 0 of list "source": permissions sources may not specify partitions, peers, and sameness_groups together`, expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "destination_rules": invalid element at index 0 of list "destination_rule": traffic permissions with L7 rules are not yet supported`,
},
"l7-fields-header": {
tp: &pbauth.TrafficPermissions{
Destination: &pbauth.Destination{
IdentityName: "w1",
},
Action: pbauth.Action_ACTION_ALLOW,
Permissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
Partition: "ap1",
},
},
DestinationRules: []*pbauth.DestinationRule{
{
Header: &pbauth.DestinationRuleHeader{Name: "foo"},
},
},
},
},
},
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "destination_rules": invalid element at index 0 of list "destination_rule": traffic permissions with L7 rules are not yet supported`,
}, },
} }
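Review bot: The three new cases exercise only the destination_rules guard; nothing covers the matching guard on exclude_permission_rules added in the same commit, so that rejection path (Name "exclude_permission_rules") is untested. A case such as `"l7-fields-exclude"` with a destination rule whose exclude entry sets `Methods: []string{"PUT"}`, expecting the ErrL7NotSupported message nested under the exclude list, would close the gap; the exact wrapping text depends on how the exclude path is wrapped, which this page does not show. The l7-fields-path case expected error at line 115 asserts only the L7 error, so it should keep a single path field to avoid also triggering the path-combination check. The table belongs to TestValidateTrafficPermissions, whose body starts before the first hunk.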
